Threat-Informed Defense and Purple Teaming: Lessons from U.S. Cyber Command


Lessons from U.S. Cyber Command

By Jonathan Reiber and Ben Opel

One of AttackIQ’s mottos is, “Think Bad. Do Good.” Security planners throughout history have practiced that formulation. Put simply, it means to secure yourself, you need to think like the adversary. How will they target you? What can you do to defend yourself against their approach? It means taking on a “threat-informed” approach to security planning.

What does “threat-informed defense” mean in practice at the strategic and tactical level? In the years after September 11, 2001, for example, the United States built tight bonds between the intelligence community and military operators to understand and confront extremist groups. The result of this integration was that forward operating bases in Afghanistan came to look more like the headquarters and command centers of yesterday. Intelligence flowed from drone feeds on the battlefield, but also from analysts back home, and a tight feedback loop developed between those studying the adversary and the forces deployed downrange to defend the United States.

Cybersecurity demands a similarly tight intelligence-operations link. Adversaries no longer need missiles or ships to target the United States; without ever leaving home, they use cyberspace to target data anywhere on earth. Every part of civilization has turned into a potential target.

Long gone are the days when society perceived the Internet as some kind of utopia devoid of conflict. Yet security administrators have failed to adopt a threat-focused mindset. Historically, network defenders in the public and private sectors often focused their work on meeting baseline cybersecurity best practices: correcting misconfigurations, administering patches, and deploying commercial cybersecurity products. They often outsourced the “think bad” part of the equation to adversary-focused “red” teams that would try to break past their network defenses.

Absent a threat-informed defense approach, security teams risk strategic drift, prioritizing compliance standards and fixing network configurations instead of focusing on defending themselves against known, dangerous threats and behaviours. Over the last decade, the U.S. military has been at the forefront in transitioning from a “network defense” approach to a “threat-informed defense” approach to cybersecurity. It has taken time for the U.S. Cyber Mission Force to evolve to this place, and other organizations can draw lessons from the experience. Three lessons matter: 

  1. understand the adversary’s approach; 
  2. identify your valuable data and defense capabilities; 
  3. build tight bonds between teams to focus on known threats and test your defenses.

Organizationally, it’s also important to appoint a leader to manage “threat-informed defense” across the organization.

Threat-Informed Defense in the U.S. Cyber Mission Force

How did U.S. Cyber Command (USCYBERCOM) adopt a “threat-informed defense” approach, and what lessons does it offer the rest of the world? U.S. Cyber Command is responsible for planning the majority of U.S. military missions in cyberspace. It emerged from the U.S. National Security Agency (NSA) in 2008-2009 because of that agency’s role as a military intelligence organization and its historic focus on signals intelligence and cryptanalysis. But the NSA needed to focus on intelligence, and the military needed an operational force that could integrate with other military components under the President and Secretary of Defense to defend the United States.

Since USCYBERCOM’s founding, however, the two organizations have remained under one leader, a “dual-hat” four-star general or flag officer who is both an intelligence leader, the Director of the NSA, and the combatant commander of USCYBERCOM. The combination provides an intelligence-operations advantage given the nature of cyberspace.

What does this mean in practice? At a strategic level, in advance of the 2018 U.S. Congressional elections, staff at the NSA and USCYBERCOM formed a Russia-focused “small group” to defend the country against Russian government election interference. As General Paul Nakasone, the USCYBERCOM commander, reported to Congress in late 2019, “The tight links between USCYBERCOM and NSA created a mutually beneficial, intelligence-operations cycle that let us rapidly find and follow leads, discover new information, and create opportunities to act in conjunction with partners.” Intelligence flowed into the defensive planning cycle; the organizations remained separate, but one leader can direct them to operate together.

As the U.S. military took on an increasing operational role in cyberspace, defenders focused on adversary tactics, techniques, and procedures. Today the defensively-minded Cyber Protection Teams in the Cyber Mission Force of U.S. Cyber Command are often the premier students of the adversary. In 2015, when Russian government attackers broke into Pentagon networks, Cyber Protection Teams on the National Mission Force were well-positioned to help remove them. They understood the Russian government’s tactics better than anyone.

Building Purple Teams

So what does this approach mean for security teams tactically? The good news is that integrating an adversary mindset requires organizational effort but not necessarily new team members. Adopting a threat-informed defense approach is more of a methodology, analogous to the Cyber Protection Team mindset and the Russia Small Group that General Nakasone outlined.

It does mean that organizations need to shift away from the traditional blue/red organizational paradigm and towards “purple teams.” Defensive teams were historically named “blue” because they focused on protecting the network terrain. In addition to these blue teams, organizations devoted resources to “red” teams or penetration teams to adopt an adversarial approach and test the blue team’s defenses. Blue teams were naturally larger given their ever-growing responsibilities and, over time, compliance requirements. Red teams were smaller, and testing occurred periodically and not at the scale required to validate the blue team’s defense effectiveness. If blue teams fail to orient towards the most important and likely threats, security resources are wasted. Absent effective testing, security controls are likely to fail when the adversary attacks, granting the adversary easy passage to an organization’s crown jewel data assets.

A blue team becomes “purple” when it emulates the adversary as a means of self-evaluation. In the process of adopting a threat-informed defense strategy, blue teams should ask whether: 

  1. They understand the most dangerous threats they face and which are most likely to impact their operations. What tactics, techniques, and procedures will the adversary deploy? Teams can prepare for known adversary threats using MITRE ATT&CK.
  2. They understand their organizational mission, center of gravity, and critical vulnerabilities. What will the adversary seek to hold at risk? What are their “crown jewel” applications? How will the adversary seek to engage those assets?
  3. They understand and trust their security controls architecture and teams. Have security controls been tested and validated against known threats? Is everyone working together?

To be threat-informed, teams should be familiar with the overarching threat landscape, their defense capabilities, and their organization. They should be able to iterate on their own security posture. They can clear low-effort attacks, validate security controls, and challenge advanced threats by defending themselves against known adversary tactics, techniques and procedures. By becoming threat-informed and deploying automated adversary emulations, whether in the U.S. military or the health sector, security teams force the adversary to change their game — making it that much harder to achieve their objectives.
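The three questions above combine into a repeatable self-assessment: weigh each emulated adversary technique by how likely it is, how critical the crown-jewel asset it targets is, and whether the controls prevented, only detected, or missed it. The following is an added example, not AttackIQ's or USCYBERCOM's code; the asset names, criticality weights, outcome weights and test results are constructed, while the technique ids are real MITRE ATT&CK ids.

```python
"""Purple-team self-assessment: rank residual gaps from one emulation cycle.
Added example; assets, weights and results are constructed for illustration."""
from dataclasses import dataclass

# Constructed crown-jewel map: asset -> criticality (3 = highest).
ASSET_CRITICALITY = {"payroll-db": 3, "mail-gateway": 2, "build-server": 1}
# Constructed exposure weights: prevented tests carry no residual risk,
# detect-only tests some, missed tests the most.
OUTCOME_EXPOSURE = {"prevented": 0, "detected": 1, "missed": 3}


@dataclass(frozen=True)
class EmulationResult:
    technique_id: str   # MITRE ATT&CK technique id
    name: str
    likelihood: int     # 1-3, how likely the tracked adversary is to use it
    target_asset: str   # crown-jewel asset the emulation ran against
    outcome: str        # "prevented", "detected" or "missed"


def gap_score(result, criticality=ASSET_CRITICALITY):
    """Likelihood x asset criticality x exposure; 0 means no gap remains."""
    if result.outcome not in OUTCOME_EXPOSURE:
        raise ValueError(f"unknown outcome {result.outcome!r} for {result.technique_id}")
    return (result.likelihood
            * criticality.get(result.target_asset, 1)
            * OUTCOME_EXPOSURE[result.outcome])


def prioritize_gaps(results, criticality=ASSET_CRITICALITY):
    """(score, technique_id) for every test with residual risk, worst first."""
    scored = [(gap_score(r, criticality), r.technique_id) for r in results]
    return sorted([s for s in scored if s[0] > 0], key=lambda s: (-s[0], s[1]))


def validation_summary(results):
    """Outcome counts; the 'missed' count is what the next cycle must shrink."""
    summary = {k: 0 for k in OUTCOME_EXPOSURE}
    for r in results:
        summary[r.outcome] += 1
    return summary


# Constructed results from one emulation cycle against a known playbook.
SAMPLE_RESULTS = [
    EmulationResult("T1566", "Phishing", 3, "mail-gateway", "detected"),
    EmulationResult("T1059", "Command and Scripting Interpreter", 3, "mail-gateway", "detected"),
    EmulationResult("T1003", "OS Credential Dumping", 2, "payroll-db", "missed"),
    EmulationResult("T1021", "Remote Services", 2, "payroll-db", "prevented"),
    EmulationResult("T1486", "Data Encrypted for Impact", 1, "build-server", "missed"),
]
```

Running `prioritize_gaps(SAMPLE_RESULTS)` puts the missed credential-dumping test against the payroll database at the top, which is the gap a purple team would close before the next cycle.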

In a way, General Nakasone is the military’s “director of threat-informed defense” for cyberspace. His role and position should provide an analogous function for security teams as they evolve. The role will not require a new team member, but someone who is dual-hatted to lead purple teams forward in a threat-informed defense strategy.

For more on this topic, Jonathan and Ben dive into threat-informed defense operations in a new video podcast:

Below is an additional video podcast about purple team operations for countering APT-29 with Jose Barajas, Jonathan, and Ben: